A proposal regarding exemptions for financial Institutions from annual privacy notice requirements has been issued July 1 , 2016 by the Consumer Financial Protection Bureau. (Initial privacy disclosure requirements continue.) Comments will be due to the CFPB thirty days from the proposal’s publication in the Federal Register. (Including the time it takes to publish the proposal, this could be around the third week in August.)
Congress provided new exemption authority for financial institutions as part of the FAST Act in December under The ‘Eliminate Privacy Notice Confusion’ amendment by adding a section to the Gramm-Leach-Bliley Act, 503(f).
The CFPB proposal would implement the December 2015 amendment to the GLBA and amend § 1016.5 of Regulation P to provide that a financial institution is not required to deliver an annual privacy notice if it:
(1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of Reg P under § 1016.13, § 1016.14, or § 1016.15( for examples, pursuant to certain joint marketing arrangements; disclosures relating to maintaining and servicing accounts, securitization, law enforcement and compliance, and consumer reporting; and other disclosures described in the GLBA and Regulation P as exceptions to the opt-out requirement);
(2) Has not changed its policies and practices with regard to disclosing nonpublic
personal information from the policies and practices that were disclosed to the member in the most recent privacy notice already provided.
The proposal would clarify that privacy notice provisions only apply to financial institutions (by amending the definition of ‘You’ under the rule).
The CFPB’s proposal would also address the timing of annual notices if an institution changes its nonpublic personal information sharing policies and practices so that it no longer qualifies for an exemption from the annual notice requirement. If a revised initial privacy notice is triggered, the first annual privacy notice must be provided by December 31 of the next year after the change, consistent with current requirements. Under the existing rule, a revised notice is required for example, because the institution wants to disclose a new category of nonpublic personal information to any nonaffiliated third party. If an institution changes its policies or practices but does not trigger requirements for a revised initial privacy notice, the first annual privacy notice must be provided within 60 days of the change.
The CFPB notes that institutions that qualify now for the alternative delivery of annual notices on their websites would qualify for the exemption under the proposal. The CFPB is proposing to eliminate the alternative delivery method from the rule, however, since institutions would likely want the exemption rather than continuing to provide annual notices via any delivery method.
The statutory exception to the annual notice requirement is already effective. The CFPB’s proposed changes to Regulation P would be effective 30 days after a final rule is published in the Federal Register.
Comment letters to the CFPB on the proposal should be identified by Docket No. CFPB-2016-0032 or RIN 3170-AA60 and may be filed electronically to http://www.regulations.gov. or mailed to Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1700 G Street, NW., Washington, DC 20552.
CU, Counsel, Pllc
July 5, 2016